High

Remote Code Execution in Microsoft Office / Office for Android via Heap-Based Buffer Overflow

IdentifiersCVE-2026-42831CWE-122· Heap-based Buffer Overflow

CVE-2026-42831 is a critical heap-based buffer overflow vulnerability in Microsoft Office, including reporting that specifically identifies Office for Android as affected. The flaw is triggered when a victim opens a specially crafted malicious Office document. Microsoft describes the issue as allowing an unauthorized attacker to execute code locally; however, the attack scenario is document-based and attacker-driven, so the practical outcome is remote code execution on the victim device once the file is opened. Microsoft notes that the Preview Pane is not an attack vector. The available information does not identify the specific vulnerable function or parser component beyond the heap-based overflow condition.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution in the security context of the user who opens the malicious Office file. Based on the provided CVSS data, the vulnerability has high impact on confidentiality, integrity, and availability, meaning an attacker could potentially access data available to the user, modify data or application state, and disrupt normal operation of the affected application or device. Microsoft rated the issue Critical with CVSS 3.1 base score 7.8.

Mitigation

If you can’t patch tonight, do this now.

Until patches are fully deployed, reduce exposure by preventing users from opening untrusted or unsolicited Office documents, even if they appear to come from known contacts. Use email and web filtering to block or quarantine suspicious attachments, reinforce user awareness around malicious document lures, and limit execution of untrusted content through endpoint and application control policies where available. Microsoft specifically states that the Preview Pane is not an attack vector for this CVE.

Remediation

Patch, then assume compromise.

Apply Microsoft's official security updates for the affected Microsoft Office products, including affected Office for Android builds where applicable. Upgrade to the vendor-provided fixed versions released through Microsoft's security update channels. Prioritize patching endpoints that handle externally sourced Office documents.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft Corporation365 Copilotapplication

Microsoft CorporationOfficeapplication

Microsoft CorporationOffice Long Term Servicing Channelapplication

Microsoft CorporationOffice Macos 2021application

Microsoft CorporationOffice Macos 2024application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

arctic wolf blogNews

May 16, 2026

Microsoft Patch Tuesday: May 2026 - Arctic Wolf

A Microsoft Office/Word vulnerability exploitable through crafted documents.

arctic wolf blogNews

May 16, 2026

Microsoft Patch Tuesday: May 2026 - Arctic Wolf

An Office/Word vulnerability exploitable via crafted documents.

talos intelligence blogNews

May 12, 2026

Microsoft Patch Tuesday for May 2026 - Snort rules and prominent vulnerabilities

A critical heap-based buffer overflow vulnerability in Office for Android that allows local code execution when a user opens a malicious Office file.

msrc microsoftNews

May 12, 2026

CVE-2026-42831 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability

A critical heap-based buffer overflow remote code execution vulnerability in Microsoft Office that requires user interaction to open a malicious Office file; despite the RCE title, exploitation occurs locally on the victim machine.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-42831

NVD

nvd.nist.gov/vuln/detail/CVE-2026-42831

MITRE CWE · CWE-122

Heap-based Buffer Overflow

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42831